Architecture Overview

Stack

Layer	Technology
Frontend	Next.js 14 (App Router)
Database	PostgreSQL (Supabase)
Cache	Redis (Upstash)
Auth	NextAuth.js + GitHub OAuth
Hosting	Vercel
Payments	Razorpay
Email	Resend

Data Flow

User: npx depgraph check
         │
         ▼
CLI reads package.json / package-lock.json
         │
         ▼
POST /api/scan  ← Auth: API key or session
         │
         ▼
Check Redis cache (24hr TTL per package)
   HIT  → return cached scores
   MISS → fetch signals in parallel:
           GitHub API (commits, contributors, issues)
           npm registry (downloads, metadata)
           OSV.dev (CVE data)
         │
         ▼
Score engine computes health score (0–100)
         │
         ▼
Store in PostgreSQL + Redis
         │
         ▼
Return scored report → CLI (terminal output) or Dashboard (web)

Caching Strategy

Data	TTL	Key pattern
Package score	24h	`pkg:score:npm:{name}`
GitHub signals	6h	`github:repo:{owner}:{repo}`
npm metadata	12h	`npm:meta:{name}`
OSV data	24h	`osv:npm:{name}`
Full scan report	1h	`scan:report:{lockfileHash}`

Rate Limits

GitHub API: 5,000 req/hr (authenticated) — queue pauses at <100 remaining
npm registry: no auth required, generous limits
OSV.dev: free, no auth

Deployment

Web: Vercel (auto-deploys from main)
Cron: Vercel Cron — GET /api/cron/daily-tasks at 08:00 UTC daily
Environment: See .env.example for all required variables